Posted
by
CmdrTaco
on Wednesday July 19, 2000 @12:05PM
from the you-gotta-be-kidding dept.

viktor_haag writes: "Report on MSNBC today of a new vulnerability that exploits a hole in (at least) Microsoft Outlook. The bad news is -- this time you don't even have to read the email; in fact, the exploit can take place before Outlook even places the email in your Inbox. Looks to involve overloading the message's Date header field. MS says they're going to release a security patch on July 19 to fix this hole." The irony is of course that we're so jaded by all these sad macro viruses that when something this serious hits, we shrug it off as 'Just another security hole,' but this one is massive.


I would have to say the scariest thing coming out of the article on MSNBC is the quote "MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix." Which has some interesting implications, I think. For companies like Microsoft to be able to cover up important press releases is one thing, and for the security crowd I'm sure you've all heard the term "security by obscurity". It never works. This event makes me wonder what things a company like AOL, who owns too much (MONOPOLY), can cover up at will. If AOL had a security flaw I wonder how much press it would get. I have less faith in AOL software in terms of security than Microsoft's, but when was the last time there has been a public release of them doing anything wrong? The media sucks is my point.

I'm waiting for the first lawsuit (if there hasn't been one already) that takes Microsoft to task for being negligent in developing software with blatant security flaws. It's unlikely anyone can sue over bugs, but a failure to protect against malicious attackers might be actionable -- especially in the litigious US.

Does Microsoft guarantee (or even imply) that Outlook (or Windows, for that matter) is secure?

Do we, as software developers, want to work in a world where our software is subject to judicial review? I think not...

At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.

Emphasis was mine. This is precisely the problem: I am 100% sure that none of the other 12 computer users at my office have the faintest idea that there may be security problems related to e-mail clients. We use Lotus Notes (yuck!) here, so I don't mind educating people on this new hole (I've never heard of any LN exploit) and I still think this is a problem to be dealt with by the sysadmins, which I'm not. The point is that most people don't keep insecure versions because they are lazy, they just can't imagine they are at risk. They just trust MS. Now, if I could just figure out why...

If this were almost any other app or company this wouldn't be front page news. How many other apps have buffer overflow exploits? Yes, Outlook has had its problems but look at other apps that have had them. How many problems were there with sendmail? The problems got fixed and it continues to be used today. Until someone comes out with a product to truly compete with OutLook people won't switch. What other LARGE enterprise mail systems are out there that offer the features of Exchange? Security people don't usually pick the mail system, management does. Management just can't pass up the calendaring and scheduling features of Exchange.

Instead of constantly bashing OutLook someone should actually go write a competing client. I'm currently using Mozilla's IMAP client. So far it's the most full featured by far. Sadly, it crashes about 3 times per day and on restart it sometimes won't create new messages. I can't wait for Evolution, but how long will that be?

I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

I myself have been wondering ever since Win2k came out with this "feature" how exactly M$ was going to issue system patches & upgrades. Can't their installer just overwrite the protected files and update whatever registry entries (or whatever) control this feature? Don't know since I haven't played with Win2k as yet....

#include "disclaim.h" "All the best people in life seem to like LINUX." - Steve Wozniak

> Anyway, I think that the problem is people actually getting/using the patch.

There is a very simple, and elegant solution. Write a program that exploits the security flaw that patches the affected system, and then replicates itself. To be careful it should have a self termination date, and maybe even maintain a list of addresses on a central server that it has been sent to, etc.

Of course there are complications to this, first and most importantly that it is probably illegal. Therefore the above thought is provided for humor and irony purposes, and not an attempt to encourage anyone to break the law.

Posted never by no-one from the not-all-that-surprising dept. Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record [securityfocus.com] for a summary (and, yes, an exploit). The irony is of course that we pretend to be concerned with security, but we really care only for ridiculing Microsoft, so when something this serious hits Linux, we don't even report it.

It seems like 90% of all recent (within last 3 years) exploits that are not related to the ActiveX/scripting model are due to buffer overloads. Using C as the example, even if you specify the length of a char*, you can easily go past that with bad buffer copy mechanisms - even sprintf, I believe, can overflow a buffer. The large number of buffer exploits of late probably came initially from a few small but notable cases, but then suddenly anything with variable string input or arguments could become a problem, rising to the number of buffer exploits we see today.

Not checking inputs before the buffer is copied into is a bad programming flaw, but only recently realized as being potentially hazardous. Thus, take all programmers that were in the workforce in 1990, and they would probably have missed adding the buffer checks, but now with buffer overflows a problem nearly every day, programmers in 2000 are much more conscious about it, but there is still legacy code that probably does this buried in code. Especially when the field itself is not thought of in a textual sense (a date field), these things tend to get overlooked in the general design of the program. However, this should only reinforce the use of a lint-like system after various compiles in order to find potential buffer overflows. Languages like C++ and Java provide some protection here assuming you use the typed Strings, but you can still create a buffer overflow without thinking about it.

The story interrupted half-way down for a link to "Microsoft Profits top Wall Street Forecasts"

Not once does the article suggest that the most comprehensive fix is not using Outlook... But wait, how are users supposed to switch email clients when Outlook 4, Outlook Express 4, Outlook 5, and Outlook Express 5 all use different proprietary binary formats?

USSR labs... Did they pick up that name around 1991 by any chance?

Just as with any news source, there's going to be bias. It's just that most news sources don't have such obvious and entertaining bias as MSNBC.

What was the last hole this big? The clipart SHS hole - exactly causing the life_stages joke worm. This time somebody clever will make another virus - and it will spread like wildfire, before it can even get patched!

Our only hope is to make an antivirus email that uses the hole to install the patch and then forwards itself off.

This bug is a standard buffer overflow vulnerability, an accident, and not a design bug

It's interesting, although I agree with all the facts in your post, I disagree with your attitude. In my opinion, this bug is much more disturbing than the damage caused by clueless users who run untrusted applications after countless warnings not to. This is a security hole; allowing users to send attachments is not.

Of course, it is true that this is simply a bug, and it could have happened to anyone. But it didn't happen to anyone, it happened to Microsoft, and they deserve some measure of condemnation for it.

If any of the following apply to you, you are not affected by this vulnerability:

- You are running a default installation of Internet Explorer 5.01 Service Pack 1.
- You are running a default installation of Internet Explorer 5.5 on any system except Windows 2000.
- You are using Outlook and it's configured to use only MAPI

If none of the above apply to you, you are affected by the vulnerability.

-- So all you Linux users, beware.:)

Anyways, it's this kind of warped logic that caused the bug in the first place.

I think I did it again I made you believe you've got security Oh baby It might seem like a feature But it doesn't mean that I'm serious 'Cause to lose all my reason That is just so typically me Oh baby, baby

:Chorus: Oops!...I did it again I created a bug, got lost in the game Oh baby, baby Oops!...You think it's secure That its sent from above I'm not that innocent

You see my problem is this I'm dreaming away Wishing that bugs, they don't exist I cry, watching bugtraq Can't you see I'm a fool in so many ways But to lose all my customers That is just so typically me Baby, oh

:Chorus: Oops!...I did it again I created a bug, got lost in the game Oh baby, baby Oops!...You think it's secure That its sent from above I'm not that innocent

Yeah yeah yeah yeah yeah yeah Yeah yeah yeah yeah yeah yeah

"All aboard" "Bill, before you go, there's something I want you to have" "Oh, it's beautiful, but wait a minute, isn't this...?" "Yeah, yes it is" "But I thought the old lady dropped it into the ocean in the end" "Well Billy, I went down and got it for you" "Oh, you shouldn't have"

Oops!...I did it again to your trust Got lost in denial, oh baby Oops!...You think that I'm sent from above I'm not that innocent

:Chorus: Oops!...I did it again I played with your heart, got lost in the game Oh baby, baby Oops!...You think I'm in love That I'm sent from above I'm not that innocent

:Chorus: Oops!...I did it again I created a bug, got lost in the game Oh baby, baby Oops!...You think it's secure That its sent from above I'm not that innocent

Basically, you fill a fixed-size array with enough data so that you overwrite other parts of the program, do some magic (which is somewhat explained here [infonexus.com]), and then get the program to execute some arbitrary code of your own writing. Developing said code (i.e. actually writing the exploit) generally takes time, and is limited to one software/os/platform/version combination.

This has *no* relation to how the code is initially written.

A program which reads one line of code from the user, saves it to a fixed sized buffer, and then prints it out is vulnerable to a buffer overflow.
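The fixed-size buffer program this comment describes, side by side with the bounded version, as an added example in C. It is not code from the thread and not Microsoft's code; the 64-byte buffer, the function names and the constructed inputs are this example's assumptions. It also covers the sprintf case raised in an earlier comment: sprintf has no bound at all, while snprintf reports how many bytes the full output needed, so the caller can detect that it did not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define LINE_MAX 64   /* the fixed-size buffer of the comment's example (assumed size) */

/* Vulnerable: strcpy copies until the source's NUL, so a line longer than
 * LINE_MAX - 1 bytes writes past 'line' into the rest of the stack frame.
 * Kept here only to show the shape of the bug; never call it on untrusted
 * input. */
void echo_line_unsafe(const char *input)
{
    char line[LINE_MAX];
    strcpy(line, input);
    puts(line);
}

/* Hardened: the copy is bounded by the destination, and an over-long line
 * is rejected instead of silently clipped (a truncated Date header is still
 * wrong, just less dangerously so).  memchr stops at the first NUL and never
 * reads more than 'outlen' bytes of the source.  Returns true on accept. */
bool copy_line_checked(const char *input, char *out, size_t outlen)
{
    const char *nul = memchr(input, '\0', outlen);
    if (nul == NULL)                 /* no terminator within outlen: too long */
        return false;
    memcpy(out, input, (size_t)(nul - input) + 1);
    return true;
}

/* The sprintf case: snprintf returns the length the complete output would
 * have had, so a value >= the buffer size means the output was cut off. */
bool format_date_line(const char *date, char *out, size_t outlen)
{
    int needed = snprintf(out, outlen, "Date: %s", date);
    return needed >= 0 && (size_t)needed < outlen;
}

/* Wrappers that own their buffer, so each check is a single call. */
bool accept_header_line(const char *input)
{
    char line[LINE_MAX];
    return copy_line_checked(input, line, sizeof line);
}

bool date_line_fits(const char *date)
{
    char line[LINE_MAX];
    return format_date_line(date, line, sizeof line);
}

int main(void)
{
    /* Constructed inputs: a sane Date value and a 4095-byte one. */
    const char *good = "Wed, 19 Jul 2000 12:05:00 -0700";
    char evil[4096];
    memset(evil, 'A', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';

    printf("normal header accepted:    %s\n", accept_header_line(good) ? "yes" : "no");
    printf("4095-byte header accepted: %s\n", accept_header_line(evil) ? "yes" : "no");
    printf("normal date fits:          %s\n", date_line_fits(good) ? "yes" : "no");
    printf("4095-byte date fits:       %s\n", date_line_fits(evil) ? "yes" : "no");
    return 0;
}
```

The point of returning a status rather than truncating is that a header which does not fit is not a header you want to parse at all; the safe failure is to drop the message or the field, not to keep going with whatever part of it survived.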

Do any of these security exploits happen in Exchange? Every time an Outlook hole is revealed, we Exchange users also get the patches broadcast to us, but I don't remember hearing anything ever said about Exchange -- only Outlook, which will run on my work machine only after they fire me for refusing to have anything to do with it.:o)

"This is certainly a serious one," said Steve Lipner, manager of the Security Response Center at Microsoft. Lipner said the stand-alone Outlook patch might not be ready until Wednesday, but concerned Outlook users can protect themselves immediately by downloading and installing the newest version of Internet Explorer at Microsoft's download site. That software includes code that will stop the vulnerability.

So the way to stop the virus is to load IE5.5? Why? Did they already know about the virus for a while and do nothing to tell anyone else (ie. release a patch for the existing users while developing the future release)? Sounds like a malicious plan to force users to upgrade to a new version, as long as the bug wasn't uncovered too soon.

I nearly drowned from beer inhalation when I learned about this ummm...feature from a friend whose firm is an early adopter of W2K. Not that the umm...feature itself existed (what sysadmin hasn't at one time or another wished for an umm...feature like this to protect hisorher systems from lusers), but that Solitaire was one of those protected system files you couldn't delete without it being resurrected. I was ROTFLABBTMN when I heard that.

This bug is a standard buffer overflow vulnerability, an accident, and not a design bug like automatic or near automatic execution of executable mail content (sheesh), responsible for the previous mail worms and viruses. I do not want to be seen as defending Microsoft's practices, their ideals, or their bad program designs (e.g. aforementioned executable mail content). HOWEVER, a buffer overrun bug like this is not an inherent misfeature of Microsoft's design. It's a bug plain and simple, and furthermore one that has affected and continues to affect many, many Unix programs. This could have happened to "us", in other words. (If there were a buffer overrun problem in fetchmail, for example -- there isn't, but suppose there were.) We can and should rail at Microsoft for designing in weaknesses like that which made the ILOVEYOU fiasco possible. With a buffer overflow problem, I think that the "may he who is without sin cast the first stone" principle must apply. One of their anonymous programmers made a serious mistake. Same mistake has been made, over and over, in virtually every Unix system daemon since the Epoch. They get fixed (with an alacrity usually proportional to the consequences of an exploit) and that's that. And though I passionately believe in Open Source, please note that the fact that the source for most of those daemons has been examined by thousands and thousands of people, they never got fixed all at once. For example, -every- Red Hat Linux distribution in memory has fixed some buffer overruns and introduced others.... kiscica

As I understand it, any language with unchecked array bounds is subject to buffer overflow problems. Java, for instance, can't have buffer overflow problems; if I declare an int buffer[4] and try to write into memory location buffer[5], an exception is thrown. In C, however, writing into location buffer[5] simply means that I write into memory adjacent to the end of the array

(Nitpickers: yeah, I know, buffer[3] is really the last allocated space, meaning that the starting address of buffer[5] is actually 4 * sizeof(int) from the start of the array, and not adjacent to the end of the buffer. Children should be taught to count starting at zero.)

So, it is a vulnerability specific to languages that don't check bounds on arrays. However, it is just as much the fault of the programmer. If you don't validate input, you shouldn't be surprised when things don't go as planned. In a Java program that wasn't given special bounds checking, the program would die on the exception, better than providing an exploit, but bad form nonetheless.

> Why is this the first internet virus
> that someone with a brain could
> actually fall for?

People "with a brain" wouldn't be using such a horribly insecure mail client in the first place. There's a reason you don't hear about exploits like this affecting users of other mail clients such as Netscape Messenger (for example).

This security hole could potentially become a nightmare, but only to those people who use Microsoft's inferior mail software. Microsoft has set back computer security by years. Take these old pieces of virus protection advice:

You can't get a virus simply by reading a message - not true anymore, thanks to Microsoft.

Viruses cannot be contained in plain text messages - also not true anymore, thanks to Microsoft's Windows Scripting Host and lame VBA viruses such as I LOVE YOU.

Viruses cannot be contained in image files, sound files, video clips, or other file formats, only executable binaries - still technically true, but thanks to Microsoft's "hide extensions of known types" feature, you can see viruses like "innocent_file.jpg.vbs", which appears in Microsoft clients as "innocent_file.jpg". Launching this file will, of course, trigger the virus.

Microsoft needs to admit that Outlook is fatally flawed. Since this will never happen, it's up to people like you and me to educate and inform anyone and everyone. Companies that mandate the use of Outlook or Outlook Express (I used to work for such a company) especially need to be educated.

A non-default installation of IE 5.01 SP1 or IE 5.5 also will eliminate this vulnerability, as long as an installation method is chosen that installs upgraded Outlook Express components.

The *REASON* I did a non-default install of IE 5.5 was so I could EXCLUDE Outlook Express because I use Outlook 2000. So basically MS's Internet software is so "integrated" that you can't have one be patched for security reasons without installing all of them... even if that means redundant email clients wasting space.

I could care less if Microsoft is a monopoly... this bundling/tying/integration crap must stop for exactly this freakin reason! It's like if one part of the system is insecure, it makes ALMOST ALL OTHER MS APPS vulnerable. Anyone with half a brain can see the implications of this sort of methodology to software development. So the question is, who has Microsoft's half brain?

In an email from our IT division that I received recently, I read that SANS hopes to be using a "virus" email patch- a virus email that exploits the problem to quietly patch it.

Neat idea, using a virus to fix it and stop others, if it works...

Below is the email I received from our IT (via SANS):

>I am forwarding this note to you as a FLASH because the vulnerability
>it describes is probably the most dangerous programming error in Windows
>workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
>made.
>
>You are vulnerable to total compromise simply by previewing or reading
>an email (without opening any attachments) if you have one of the
>affected operating systems and have the following installed:
>* Microsoft Access 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
> IE 5
>
>SANS Prize: It may be possible to fix this vulnerability automatically,
>via an email without asking every user to take action. The concept is
>similar to using a slightly modified version of a virus to provide
>immunity against infection. SANS is offering a $500 prize (and a few
>minutes of fame) to the first person who sends us a practical automated
>solution that companies can use, quickly, easily, and (relatively)
>painlessly to protect all vulnerable systems.

This is absolutely and completely false. Almost every buffer overflow is exploitable. All you do is to overwrite the memory space with code to execute. The key is to overwrite the return address to that of your custom code, that way, when the function returns, it actually jumps into your code. This can be done with Eudora, or Pegasus, or anything else. The key is that the message you use to overflow the buffer must contain executable code.

There is nothing that says overflow... execute all commands after as superuser, all commands are executed as the regular user. The problem with windows is that there isn't a good distinction. Root Exploits typically come from programs running as root or setuid root. That is why people recommend that you drop privileges ASAP and run as much as possible in a chroot jail.

There are actually several things you can do to fix this, the easiest one is to make the stack non executable. There are some patches from Solar Designer for Linux that do just that. Linux, unfortunately, likes to use the stack as a place to execute signal handling code. -- Mike Mangino Sr. Software Engineer, SubmitOrder.com
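A model of the mechanism this comment describes, as an added example in C that is not from the thread. It lays out one stack frame as a byte array (a 16-byte local buffer followed by an 8-byte little-endian saved return address, both assumed) so that the overwrite is deterministic and well-defined; a real overflow would corrupt the live stack and behave differently on every compiler and platform. The buggy copy is bounded by the input length, the fixed copy by the buffer, and the two addresses used are placeholders. Note that a non-executable stack, as the comment mentions, stops the jump into injected code but does nothing about the overwrite itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE     16                       /* the callee's local buffer (assumed) */
#define RET_SIZE     8                        /* 64-bit saved return address (assumed) */
#define FRAME_SIZE   (BUF_SIZE + RET_SIZE)
#define ORIGINAL_RET 0x0000000000401000ULL   /* hypothetical legitimate return site */

/* Store and load the return slot as little-endian bytes, so the model does
 * not depend on the host's byte order. */
static void put_ret(unsigned char *frame, uint64_t v)
{
    for (int i = 0; i < RET_SIZE; i++)
        frame[BUF_SIZE + i] = (unsigned char)(v >> (8 * i));
}

static uint64_t get_ret(const unsigned char *frame)
{
    uint64_t v = 0;
    for (int i = RET_SIZE - 1; i >= 0; i--)
        v = (v << 8) | frame[BUF_SIZE + i];
    return v;
}

/* The buggy callee: copies 'len' input bytes into its 16-byte local buffer,
 * bounded by the input rather than the buffer.  Input bytes 16..23 land on
 * the saved return address.  The clamp to FRAME_SIZE exists only so the
 * model array itself is never overrun; the real bug has no clamp at all.
 * Returns the address the function would "return" to. */
uint64_t vulnerable_frame_after_copy(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_ret(frame, ORIGINAL_RET);
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, input, len);
    return get_ret(frame);
}

/* The fixed callee: the copy is bounded by the buffer.  Truncation is used
 * here to keep the model small; a real parser should reject the input. */
uint64_t fixed_frame_after_copy(const unsigned char *input, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    put_ret(frame, ORIGINAL_RET);
    if (len > BUF_SIZE)
        len = BUF_SIZE;
    memcpy(frame, input, len);
    return get_ret(frame);
}

/* Constructed attacker input: 16 filler bytes, then the attacker-chosen
 * address as little-endian bytes, exactly where the saved return address
 * sits in the frame.  'out' must hold FRAME_SIZE bytes. */
size_t build_payload(unsigned char *out, uint64_t target)
{
    memset(out, 'A', BUF_SIZE);
    for (int i = 0; i < RET_SIZE; i++)
        out[BUF_SIZE + i] = (unsigned char)(target >> (8 * i));
    return FRAME_SIZE;
}

/* One call each for the whole experiment. */
uint64_t hijacked_return(uint64_t target)
{
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, target);
    return vulnerable_frame_after_copy(payload, n);
}

uint64_t defended_return(uint64_t target)
{
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, target);
    return fixed_frame_after_copy(payload, n);
}

int main(void)
{
    uint64_t target = 0x0000000000402a00ULL;   /* hypothetical address of attacker code */
    printf("original return slot : 0x%016llx\n", (unsigned long long)ORIGINAL_RET);
    printf("after vulnerable copy: 0x%016llx\n", (unsigned long long)hijacked_return(target));
    printf("after bounded copy   : 0x%016llx\n", (unsigned long long)defended_return(target));
    return 0;
}
```

In the real attack the target address points back into the overflowed buffer (or somewhere else the attacker controls), which is why the comment says the message must carry executable code; here the address is just a number, which is enough to show that the return slot is what the overflow controls.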

I could care less if Microsoft is a monopoly... this bundling/tying/integration crap must stop for exactly this freakin reason!

It is your attitude that allows them to engage in monopolistic business practices. If you don't like their products - and it's obvious that you have serious issues with them - then instead of whining about it on /. just stop doing business with Microsoft. It's really just that simple. Corporate profit whores are the easiest entities in the world to manipulate. All you have to do to change their ways is to choke off their profits.

If you stick a fork in your eye, I will neither help you get it out nor sympathize with you; you stuck it in there and it's your own damn fault. Using Microsoft products is the same way. Anyone who does so is just asking for problems. I'm not claiming nobody else's products have flaws, only that Microsoft's have many more flaws than anyone else's, and as you mention their fundamental strategy merely worsens the situation. If you use them, you deserve what you get.

Finally, I end virtually every post this way: if your employer "forces" you to use this stuff, just remember that in most countries you can always quit. So either stop whining about it or quit your job and go work elsewhere. "Whoring: Just don't do it!"

Although that's an important security hole in its own right, it's not the one we're talking about in the article. The article involves a buffer overflow in the date field, not an oops when executing ActiveX objects that are databases.

Win98 has an optional feature that will periodically contact Microsoft when you're connected to the internet to download a list of updates/patches, etc. Apparently no information is sent to Microsoft. All very similar to Helix Gnome.

Of course, OS/2 was doing this in about '94 (via gopher rather than http, if I remember correctly).

I'd like to see all the "MS SUCKS!!!" people in here sit down and write an app that does everything OutLook can do. Yes, it has its problems but you can patch it, just like everything else. Until there is another alternative, even a close one, people won't switch.

Newsflash: Some Companies Don't Use Outlook.

We don't. Why is that? Is it because we have a single app that does everything Outlook can do? No. Did management like its scheduling? Yeah, they were impressed. But, I wasn't hired to point, click, giggle, and approve everything Management wants to run. It's part of my job to build viable systems for my company. So, before we pop for a system, we audit the crap out of it: Outlook/Exchange doesn't even come close to cutting it, "features" or not.

See, we have a different view on the Web. An example: Since our first purchase of bsafe licenses from RSA labs, some 5 years ago, we've run a secure inter- and intra-net for our clients and employees. Scheduling, Calendars, Mail, Document Sharing/Transfer, Routing, Storage, Directory Services, some B2B and Timesheets, Printing and PDF generation from Word Documents and Faxes.

As for bugs; well, we're always in development:^) We've had several minor security issues, some early ones were, like this, bounding checks that didn't. Some memory leaks in 3rd party libraries. A few browser issues. Harmless stuff. Never whacked a file, or accessed secure information without the consent of the user. Never. As lead developer, I can honestly claim that our product easily does more than Outlook, and is virtually browser independent (SSL the only requirement). (Of course, you could just shitcan my comment, because it's a Server app, and not a Win client app, and we don't sell it, and..and...:)

Anyway, I can walk the walk. So, let's talk the talk.

There is no excuse for shoddy code and poor design at the Enterprise level. None. There are tons of relatively inexpensive tools that take care of beginner mistakes (like bound checking) for you, and may I remind you Microsoft should not be a beginner. Where are the coding wizards that bloated the Doom egg into Excel? And don't even start to whinge to me about "so many lines of code crap", either. I don't care how many lines you bloat into a product: if the design is poor, you're in for the big lose. And, make no mistake about it, the VBScript security concept is simply Nonexistent. A pathetic afterthought -- a late-night crapfest of coding that makes the I_Love_You virus read like Shakespeare.

To make matters worse, Microsoft leveraged the farm on the VB Concept. Every "application" has a backdoor^h^h^h(Screw it, it's a backdoor) propped open wider than the fridge at an "All-you-can-drink" Mardi Gras party in the Big Easy.

Uh...Wait...My Spidey Senses are telling me that the party line at Microsoft is that all this scriptability is The Big Win for productivity! Really!! You can cut/paste/drag/drop/bone/fillet/chop bits between all your apps! Isn't that exciting? Huh? Don't you want to be able to execute arbitrary code from an Excel spreadsheet, popped open by an untrusted 3rd party.OCX, driven by an Access 02 database automagically opened in Word?!? MmmmBoy!!! Smell That Innovation!

Got some not-so-much-news for you guys. That mind-numbing stench isn't innovation. It's a deceptively high-minded concept for individual power users, viciously mangled by Microsoft's complete inexperience with the multi-user/internet like some lean ground beef chew toy tossed to a pack of rabid weasels. 99.99% of the world doesn't use it, doesn't want to use it, and couldn't care less about it. The 0.01% that recognize its existence are about equally divided on the subject: Either they've already disabled VBScripting on their machines, or they're writing code to exploit the other 99.99%

Would you be happy with a caretaker for your house that leaves the key in the lock and puts up a sign that says "Gone Fishin' 'till Tuesday"? And they knew about it since they shoehorned basic scripting into Word 95. It is beyond my comprehension why people believe that scripting viruses "just happen", like they're some Normal price of doing business. You hear crap like "That Loser who wrote this virus should be shot!", or "We lost (m|b|tr)illions of dollars to Melissa/Zipped_Files/Good_Times, someone should pay!!!" And the folks never take the time to think

"Why was is so damn easy to do?"

Because they made it easy to do. I mean, LOOK AT THE CODE, folks. Melissa and its ilk are hardly rocket science. I_Love_You.vbs isn't a freakin' masterpiece. It's a script that should never have been allowed to run. Where's the security!!! Aunt Sally and Uncle Bob didn't want to run it. They don't know VBScript from Shinola. Yet, it ran on their box. Without their consent. Without their knowledge. And whacked all their files and mailed all their friends -- who continued the cycle.

What do you hear from Microsoft: "You have to stay Vigilant!" and "Those Devious Geniuses! They Struck Again!", and the popular "No System Is Ever Free Of Bugs" They crank up the spin-fest and fill Joe User's head with cheezy crap that sounds like it came off a bottle of cheap shampoo: "Upgrade, Set Options, Pray, Repeat!"

Unfortunately, many updates are not worth doing for the majority of people. If IE 3.0 does what you want, you shouldn't have to make a 2-hour plus download just to stop a bug that shouldn't have existed in the first place.

Another problem with upgrading is what I call the 'Bullshit program' problem. On my Windows box, I use Office 97. I saved a Word file and sent it to a friend. It was just under 1.5 MB. He uses Word 2000, and a while later, e-mailed me the file back, for reasons I won't go into. It had grown to 4 MB, and was in the Word 2000 format, which I couldn't open. I e-mailed him and asked what he had changed in the file, other than the format. He said: Nothing.

Many upgrades give the average user nothing more than features like OS integration and annoying talking paper clips. Which they don't want. These 'upgrades' regularly have a large download time and/or price tag.

It's very easy to blame Microsoft for letting a buffer overflow problem like this slip through. Just dump Outlook, right? Use [insert favorite non-MS product name here] instead and everything will be fine...

...not. While I am certainly not willing to excuse Microsoft in particular for this specific instance, it is unwise at best to assume that the same type of weakness does not, or will not in the future, exist in other, competing products. Given that software developers have shown, time and again, that they are unable or unwilling to catch and prevent this type of weakness from getting through, perhaps it's time to look for a stronger solution.

Specifically, perhaps it is time to fix the infrastructure -- in this case, Internet mail as a whole. Although it would be unfair to compare it to something as weak and outdated as QWK mail from the ol' BBS days, there are abundant weaknesses in the current model for Internet mail that allow nasty things like mail header security exploits. And spam. Imagine if spam was not just antisocial and/or illegal, but technically impossible?

How long can a date field be? For that matter, how long can any header field be? (No, I'm not asking for a technical answer based on the current system, I'm suggesting that you think about the meaning of the fields, and the maximum length necessary to impart that meaning.) Given that mail client software authors are demonstrably ignoring such length limitations, is it not time to enforce at the protocol level some basic validity and, ideally, permission from the recipient?

I don't have a blueprint to roll out for you. However, as long as we focus on the weaknesses of this or that client, server, company, etc., we are missing the boat.
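One concrete form the comment's "enforce it at the protocol level" idea can take, as an added example in C that is not from the thread or from any mail server: a header walker that checks every header line against the 998-character line limit RFC 2822 sets, and every known field against a maximum sized from what that field has to express, before any value reaches a field-specific parser. The per-field numbers, the result codes and the function names are this example's own policy, and the two messages it checks are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum hdr_result { HDR_OK = 0, HDR_LINE_TOO_LONG, HDR_FIELD_TOO_LONG, HDR_MALFORMED };

/* RFC 2822 allows at most 998 characters per header line (excluding CRLF).
 * The per-field values below are this example's policy, sized from what each
 * field needs to say: a Date such as "Wed, 19 Jul 2000 12:05:00 -0700 (PDT)"
 * never needs more than a few dozen characters, so 64 is already generous. */
#define LINE_LIMIT 998
struct field_limit { const char *name; size_t max_len; };
static const struct field_limit field_limits[] = {
    { "Date",        64 },
    { "From",       256 },
    { "Message-ID", 256 },
    { "To",         998 },
    { "Subject",    998 },
};

/* Case-insensitive compare of n bytes (header names are case-insensitive). */
static bool name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Limit for a header name; fields without a specific policy get the line limit. */
static size_t limit_for(const char *name, size_t namelen)
{
    for (size_t i = 0; i < sizeof field_limits / sizeof field_limits[0]; i++)
        if (strlen(field_limits[i].name) == namelen &&
            name_eq(field_limits[i].name, name, namelen))
            return field_limits[i].max_len;
    return LINE_LIMIT;
}

/* Walk the header block (everything up to the first empty line) and enforce
 * the limits before any value is handed to a parser.  Folded continuation
 * lines (leading space or tab) count toward the field they continue, so
 * folding cannot be used to smuggle an over-long value past the check. */
enum hdr_result check_headers(const char *msg)
{
    const char *p = msg;
    size_t cur_limit = LINE_LIMIT;  /* limit of the field being accumulated */
    size_t cur_len = 0;             /* accumulated value length of that field */
    bool in_field = false;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > 0 && p[linelen - 1] == '\r')
            linelen--;
        if (linelen == 0)
            break;                                   /* end of header block */
        if (linelen > LINE_LIMIT)
            return HDR_LINE_TOO_LONG;

        if (p[0] == ' ' || p[0] == '\t') {           /* folded continuation */
            if (!in_field)
                return HDR_MALFORMED;
            cur_len += linelen;
        } else {
            const char *colon = memchr(p, ':', linelen);
            if (colon == NULL)
                return HDR_MALFORMED;
            size_t namelen = (size_t)(colon - p);
            cur_limit = limit_for(p, namelen);
            cur_len = linelen - namelen - 1;         /* bytes after the colon */
            in_field = true;
        }
        if (cur_len > cur_limit)
            return HDR_FIELD_TOO_LONG;

        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return HDR_OK;
}

int main(void)
{
    /* Constructed messages: one sane, one with the Date field blown out. */
    const char *sane = "Date: Wed, 19 Jul 2000 12:05:00 -0700\r\nFrom: a@example.com\r\n\r\nbody\r\n";
    char hostile[256] = "Date: ";
    memset(hostile + 6, 'A', 200);
    memcpy(hostile + 206, "\r\n\r\n", 5);

    printf("sane message   : %d (0 = ok)\n", check_headers(sane));
    printf("hostile message: %d (2 = field too long)\n", check_headers(hostile));
    return 0;
}
```

Doing this at the boundary means the date parser behind it only ever sees values it can hold, and the same walker serves any other header whose parser was written without a length check; the point is that the limit belongs to the field's meaning, not to whichever client's buffer happens to be smallest.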

Other people are going to yell "monopoly", but I have a different take on it. I work at a small company, and on occasion I develop custom software for our clients. My bosses are really cool guys that understand the work I do, and if I tell them that I don't have 100% confidence in something I wrote, it doesn't leave the door. At MS, it seems that marketing is completely running the show and they have no clue what the nerds are doing. I can see things like fiscal years and competitor release dates causing MS managers to yank unfinished software away from the engineers. It's a good way to make lots of money and produce really awful software.

I wonder how many people submitted that. I put mine in about an hour after this TechWeb article [techweb.com] came out.

It'd be cool to see some cut-away of the slashdot experience. Like, are the posters the ones who hit reject or accept? Is there an early team that does some filtering? Is one nay enough to reject an article, or do a few people look it over?

Per posts in NTBugTraq, the actual bug is within Internet Explorer, and is made visible in Outlook and Outlook Express due to calls to the faulty code.

The bug has been fixed in IE 5.01 SP1; so there already exists a solution to avoid the bug on a Win box. Also, on Win-9x, IE 5.5 also avoids the bug; but on W2K, IE 5.5 still carries this bug (go figure).

In my opinion, any bug fix from MS isn't going to accomplish much. The majority of systems which are reportedly vulnerable are home systems where the users have failed to download the readily available SW upgrades. If the users failed to download the upgrades, I doubt it's likely that they'll get around to downloading the bug fix either.

I have worked in software companies for 8 years, and I can tell you bar none, that 90% of quality problems are caused by a marketing-driven schedule and feature set.

Yes, it's unavoidable that software has to sell to finance its own development, and selling on a schedule is a requirement of marketing. You line up magazine reviews and trade shows months in advance; if the software doesn't ship on time, you miss this window, you end up losing a huge potential in sales - because of lack of hype. I've seen damn good products die on the vine due to missing the window; and I've also seen instances where the sales force of a large software company will only sell the best selling (largest bonus, easiest to sell) product, and ignore the rest, causing other products the company sells or introduces to die, all because nobody will stand up to the sales director and tell him to tell his people to get their asses in gear.

Other factors have been the easy ability for software companies to ship with massive defects to match a schedule, and put a patch on the web for downloads later - this was not nearly as common back when customers had to dial into a BBS for a patch (before widespread use of the web).

Basically, it's more of a competitive advantage to get a market presence (we're talking vapor here), than it is to ship a good stable product.

Who to blame?

The trade press. Whether the reviews are accurate or not, they still sell their rags. My company has a whole department of people whose job it is to "manage trade press relationships", that is, to make sure they get a favorable review. If we had a serious bug during an evaluation, our people fly out there and pucker up to the journalists, and no mention is made of the bug in the review.

This is life, in the software industry folks. It's only gotten worse. And it will only get still worse.

This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute [sans.org]. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here [sans.org].

these things are really really really difficult to find... I mean... how many of your QA people will sit around and write low-level code to include in every possible field to test for buffer overflows...

I don't know of any where I work that are capable of even thinking about that... granted MS may have the best minds for it, but really, truthfully...

BUFFER OVERFLOW EXPLOITS HAPPEN...

now... they should have fixed it sooner... hell... they had it since JUNE 8th...

Bring back pascal! What this country needs is strong type checking and a good national buffer defense! Vote for me in the next e-lection and I promise new F(nord)ederal regulations to require bounds checking for arrays and strings in all alpha, beta, and gold releases of all new compilers and interpreters. These evil buffer overflows must be stopped! Thank you, thank you very much.

MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix. That's standard practice in the computer security business in order to prevent possible harm to computer users.

The email is stored on a server, your mail client retrieves it and then parses it before storing it in your inbox. According to the MSFT security release [microsoft.com], Outlook doesn't check that all the fields are the correct size while parsing it...thus buffer overflow.
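As an added example (constructed here, not Outlook's code and not code posted by anyone in this thread), this contrasts the defect the post above describes, a header value copied into a fixed-size buffer with no length check, with a bounded parser that rejects an over-long Date value at receive time, before the message is accepted. It also answers the earlier question about how long a date field needs to be: the 64-byte cap and the sample messages are assumptions, chosen because an RFC 822 date-time without comments is under 40 characters.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed cap on a Date value; a real RFC 822 date-time is under 40 bytes. */
#define DATE_BUF_LEN 64

enum hdr_status {
    HDR_OK = 0,        /* Date header found and copied within bounds  */
    HDR_NOT_DATE = 1,  /* line (or whole message) carries no Date     */
    HDR_TOO_LONG = 2,  /* Date value would not fit: reject the message */
    HDR_MALFORMED = 3  /* no "Name:" prefix, or an empty value         */
};

/* Vulnerable pattern: strcpy() trusts the sender to keep the value short,
 * so a value of 64 bytes or more writes past 'out'.  Kept only so the
 * bounded version can be read against it; never give it untrusted input. */
static void copy_date_unsafe(const char *value, char out[DATE_BUF_LEN])
{
    strcpy(out, value);
}

/* Case-insensitive check that a header name is "Date". */
static int name_is_date(const char *name, size_t len)
{
    const char *want = "date";
    if (len != 4)
        return 0;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)name[i]) != want[i])
            return 0;
    return 1;
}

/* Bounded parser for one "Name: value" line ending in CRLF, LF or NUL.
 * The length is checked before a single byte is written to 'out'. */
static enum hdr_status parse_date_header(const char *line, char out[DATE_BUF_LEN])
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return HDR_MALFORMED;
    if (!name_is_date(line, (size_t)(colon - line)))
        return HDR_NOT_DATE;

    const char *value = colon + 1;
    while (*value == ' ' || *value == '\t')
        value++;
    size_t value_len = strcspn(value, "\r\n");
    if (value_len == 0)
        return HDR_MALFORMED;
    if (value_len >= DATE_BUF_LEN)    /* keep room for the terminator */
        return HDR_TOO_LONG;

    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return HDR_OK;
}

/* Walks the header block (everything before the first empty line) and stops
 * at the first Date header.  An over-long value is rejected here, at receive
 * time, before anything else looks at the message.  Folded continuation
 * lines are not joined in this example. */
static enum hdr_status scan_headers(const char *msg, char out[DATE_BUF_LEN])
{
    const char *line = msg;
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        enum hdr_status st = parse_date_header(line, out);
        if (st == HDR_OK || st == HDR_TOO_LONG)
            return st;
        const char *nl = strchr(line, '\n');   /* skip other header lines */
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return HDR_NOT_DATE;
}

/* Constructed sample messages, not real captures. */
static const char SAMPLE_OK[] =
    "From: alice@example.invalid\r\n"
    "Date: Wed, 19 Jul 2000 12:05:00 -0400\r\n"
    "Subject: patch day\r\n"
    "\r\n"
    "body\r\n";

static const char SAMPLE_OVERLONG[] =      /* Date value is 80 bytes */
    "From: mallory@example.invalid\r\n"
    "Date: " "XXXXXXXXXXXXXXXXXXXX" "XXXXXXXXXXXXXXXXXXXX"
             "XXXXXXXXXXXXXXXXXXXX" "XXXXXXXXXXXXXXXXXXXX" "\r\n"
    "\r\n";

int main(void)
{
    char date[DATE_BUF_LEN];
    enum hdr_status st = scan_headers(SAMPLE_OK, date);
    printf("ok message: status %d, date \"%s\"\n", st, st == HDR_OK ? date : "");
    st = scan_headers(SAMPLE_OVERLONG, date);
    printf("over-long message: status %d (2 = rejected as too long)\n", st);
    copy_date_unsafe("Wed, 19 Jul 2000 12:05:00 -0400", date); /* short: fine */
    printf("unsafe copy of a short value: \"%s\"\n", date);
    return 0;
}
```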

Unfortunately there's a fundamental disconnect in the corporate world between the security conscious admins and management. Management wants things easy and standardized, and (for the most part) admins want things secure. These exploits can crop up every week and it won't do a thing to convince management that Outlook is a bad choice.

Admins will continue to throw in layer after layer of mail pre-filtering software at the delivery level, when they should really just be able to get a secure MUA on their users' desktops.

I don't know about the rest of you, but I was rather tired of hearing the mass-media crying bloody murder against one or another teenager that happened to set free the newest and lamest VBA macro-virus.

At least this time it is a real bug, not a feature, and it has Microsoft working overnight to correct it. Those who remember the glorious days of early sendmail versions know that we've already been there, done that.

You'd think the virtual memory system could just deny execute access to memory alloc'ed by C. I gave it a try using VirtualAlloc with PAGE_READWRITE (not execute permission). Windows still exec'd the code. Maybe a kernel hacker could tell me if this is a limitation of the intel VM or another one of Bill's stupid mistakes.

...It is your attitude that allows them to engage in monopolistic business practices. If you don't like their products - and it's obvious that you have serious issues with them - then instead of whining about it on /. just stop doing business with Microsoft...

I wish things could be that simple. I'm currently setting up some machines for my folks. When I suggested an OS other than MS, they requested Windows not because of the OS but the application software they want to run on it (in this case accounting software.) The alternatives on Linux for example are not an option as we (.au) have recently implemented GST (goods and sales tax). As there is no *nix port of their software (MYOB), they have no choice. Though I have heard mumbles of a Linux port on my local LUG.

It isn't so much that there's a bug that concerns me, it's that it took this long for anyone to pick it up. The bug has been in every version of Outlook, and that's been around for quite a long time now.

In the end it was discovered by an independent entity, and considering that Microsoft doesn't traditionally open their development to outsiders, they have no control (directly or through probability) of who that entity might be. If it wasn't a security firm that discovered this first, it could have been anyone.

IMHO, they should instead have an internal infrastructure to find these things for them before anyone else can. People trust Microsoft to provide them with secure products, yet Microsoft is at least partly relying on the users to find the security holes.

Finally, I end virtually every post this way: if your employer "forces" you to use this stuff, just remember that in most countries you can always quit.

So your suggestion is that I should up and QUIT my chosen profession which happens to be a PDA and Mobile electronics analyst where I'm senior editor of a *very large* site devoted to the subject. A site that is my *full time job* where 99% of the products and services we cover have direct ties to the most popular PIM on earth, Outlook 97/98/2000.

Yeah, I'll just up and quit because you've convinced me that Microsoft's integration that requires components of software packages that you DO NOT WANT just to fix a security problem is all my fault, you're a brilliant man... I've always wanted to pump gas for a living anyway, I guess it's better than "whoring".

(If only life were as simple as the self indulgent zealots try to make it seem.)

Those are the moderation totals on the parent (this) [slashdot.org] post, as of 7:26pm 7/19/2000.

Before you dismiss this as off-topic, read on.

How is it that 3 people think that this is an interesting or informative post, and 2 people think that he is Trolling, i.e., intentionally trying to disrupt an intelligent conversation?

If something is thought-provoking, it is insightful, even if you disagree with it. If something is a deliberate attempt to disrupt a conversation, it's a Troll.

Now, to get on-topic: Yes, remote root on recent versions of (probably) all Linux-based systems that include NFS. Fortunately, most of them seem to have issued updates already. See the Security Focus Record for a summary (and, yes, an exploit).

It's on-topic. It's thought provoking, and it's informative. He hunted down a link for you. It's a massive security hole, just as big as the one in Outlook. Yes, you may disagree with his opinions or conclusions (I sure as hell do - no one is being paid billions of dollars to quality control Linux, it's the difference between a flaw in a gift and a flaw in an expensive PRODUCT) but that doesn't mean he's trying to disrupt the conversation. This comment is an insightful reality check. If his link was bogus, or his information was incorrect, Troll him. But if his facts are VALID and you disagree with his OPINION, mod him UP so we can all think about it and decide.

Moderation is not about suppressing opinions with basis in fact, it's about suppressing l33t hax0rz who want some Natalie.

Calling this guy a troll makes us look bad. Mod him up, and take his argument apart.

OK, MS should kick out all the office/outlook express developers and hire new ones. But... why do I have to read about an exploit in a MS product on the main page, while there are a zillion other exploits in other programs as well but these are NOT mentioned on the front page? I can understand you all can drink Bill Gates' blood for breakfast but please, keep the news informative. If people want to read rants about MS bugs they'll visit zdnet or bugtraq. I don't see why this is nerd/geek or crap that matters' related. It's pure ranting and raving. And after all these years, you still don't understand that whining about the lack of good programming on 'the enemies (enemy? like in a war?) side', doesn't help your own good, it doesn't make your own side's code better.

(the only purpose for this non-informative crapnews I can think of is: it must be a hint for a new conversation at the coffeemachine, when that nice blond from Marketing is at the coffeemachine at the same time as you do:)).

So all Microsoft bashing aside, how do things like this get out the door? To me, it almost seems that they are purposely not doing any sort of testing at all. I know about the jokes that say they get free testing by releasing their alphas, but seriously! So many people around the world depend on their software, you would think that they would put it through hell and back, but products continually come out of Redmond with serious, serious flaws.

I mean, how long did it take someone to find a hole in IE 5.5? Like 3 days??? Putting aside all the jokes and the "evil empire" comments and everything that the /. community feels about Microsoft, don't you think that a company of that size (and with their software controlling so many critical sites around the globe) has a responsibility to go overboard on quality assurance? We should be hearing horror stories from ex-employees about 48 hour testing binges and slave driver QA directors. That would make me much more comfortable than the consistent major flaws that keep appearing.

This was reported by the SANS Institute, yesterday, and therefore MSNBC presumably felt trapped between the Devil and the deep blue sea. Drown in complaints or get fried by Red Mond.

I find these sorts of holes fascinating, especially in light of Microsoft's sales pitch of selling C3 secure systems. (Yes, this is the least secure you can get, and still get a rating, but the badge is still being used to promote the idea that Windows is secure.)

One thought I had, after reading this news - if WINE could be made sufficiently stable & complete, it shouldn't be too difficult to write a virus which replaced MS' Windows with Linux, without the users even noticing. Do that, and Linux could subvert 98% of the desktops on the Internet within a matter of days.

(Wouldn't this be, well, illegal? Not if you put a shrink-wrap licence on the virus, which stated that running the virus constituted the user's agreement to the OS switch. If the licence failed to appear, and the virus ran without the user being able to detect it, well, that becomes a Microsoft issue, not a viral one.)

Tone and delivery are just as important to delivering an argument as the facts and basis of the argument. Never forget that.

A rabid Linux zealot that runs into a convention of MCSE's and starts slamming everything and everyone around him won't be treated nicely, even if every argument he uses is based in fact.

That said, the post to which you refer was just that. His post was inflammatory and arrogant. Troll, perhaps not. But worthy of the 4 positive moderations it was awarded? I think not.

On another note, I'd say an NFS vulnerability isn't as major as this Outlook one is, not by a longshot. And I can name dozens of Linux security exploits that have come out recently. They don't get this sort of press because of facts like 'MS has been sitting on this exploit since mid-June' and 'MS still has not released fixes for its flagship product, Win2k.' And at least with the NFS vulnerability, you can choose to turn off your NFS server. Telling people they can't check their email is a lot less of an option.

The bulletin specifically states that if you do a default installation of Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5, this will automatically install and/or upgrade to Outlook Express 5.5. Microsoft has specifically stated that OE 5.5 is -not- vulnerable to the issue that USSR Labs discovered. It should be noted that if you are running Windows 2000, you may have to apply the patch (which is now available) or do a manual upgrade to OE 5.5.

This may be old news to some of you, but I just recently discovered this one. Had one of my users bring me his laptop with a variety of problems on it. Had the usual glitches that form up after a while on Win98, but one of them was especially interesting.

His Netscape kept loading up this GoHip web site as its default home page. Even going into the preferences in NS would only change this until the next re-boot. Had me poking around all over his system trying to figure out how his default home page kept getting changed. I couldn't find anything in the registry or .ini files that looked to be starting up that was out of the ordinary.

I then popped on over to this GoHip web site to have a look. Right on their front page is a link that states something like "Make GoHip your default home page". The clever bit was that this was not a link to some how-to about preferences. It linked directly to a .reg file. This site was able to tweak registry entries directly from the web!

Once I managed to download this .reg file to my local PC I was then able to trace back what all it had changed and get this thing off his system. I knew Windows had some security problems, but I had no idea it was THAT open to an attack.

Now just imagine sending someone an E-Mail with an embedded meta tag that redirected you to some .reg file you've got mirrored on a number of free web hosts. Heck, all I'd have to do at that point is delete the file association to .exe and .com files, which is just two lines of the registry, and I'd have your system rendered useless.

Mind you, I strongly disagree with this monopoly case that is presently going on. The details of this I'll save for later. On the other hand, I would have no problems at all with Microsoft being held criminally liable for gross negligence. None of what I'm talking about here is a secret to Microsoft, and still they continue to put out a known faulty product. How long do you think folks would put up with flaws like this from Ford, Honda, or any other car maker?

And I think it's time that MS admitted that. The program is too full of holes, too badly designed, to continue. It should be scrapped, period.

The likelihood of MS actually admitting the above, let alone following through with my suggestion, is nil. But I think the fact that the hole has been a KNOWN exploit since June 11th and a patch was not made available even a MONTH later is very telling.

Truly, this hole has been around longer than that.. wasn't there a whitepaper about 6 months ago from the authors behind BackOrifice detailing how this kind of exploit was possible?

USSR labs decided that they would hold back details until MS produced a fix. Understandable, I mean, they wouldn't want everyone to be developing exploits for the vulnerability while MS sits on it (Yes, I understand that security through obscurity doesn't work, but I'm sure that USSR would've released details if MS had refused to comply in a timely fashion). Anyway, I think that the problem is people actually getting/using the patch.

Sure, sysadmins will probably do corporate work to clear this up, but people do worse jobs maintaining software than they do their cars. At least with cars, they know that the oil needs to be changed every 5000 or so KM, and that when the tread on the tires is bare, those need to be replaced. People are still using IE 3.0! Users are generally too lazy to upgrade software, even if there's a known security issue.

This flaw is not relegated to Outlook only - any email client which uses the IE engine to display HTML content (Eudora is one such mail client) leaves the door open for this exploit.

Two points: If you had read any of this, you would know that the problem is in the transport mechanism of Outlook (the components) - NOT the displaying of the text. Eudora uses its own system for that. Eudora CAN (in the later versions) use the MSIE engine to display messages (for the extended HTML parsing), but it doesn't HAVE to do this, it's a feature users can set as they please.

Novell's Groupwise has a neat little date field exploit. It doesn't crash or anything, but if you set the date to the distant past, say, the year of 1985, the message will seemingly "self destruct" after it was read and shuffle itself to the end of the mail spool. It's a cool trick if you want a message to disappear after someone reads it. In the spirit of Inspector Gadget (the cartoon, not the stupid movie), include the quote, "This message will self destruct in 30 seconds."

Anyhow, for more fun, take a look at the source for msnbc's article. It is one HUGE mess of scripting for a short little article. What are they trying to hide in there? Easter eggs? Why all the features for just a damn story?

Someone didn't read the whole thing. The major vulnerability is malformed date tags that Outlook reads BEFORE the user can even get to them. Insanely large numbers in that date field cause a buffer overflow. This is only a userland problem in the way that they are using Outlook.

It seems that Windows is also susceptible to buffer overruns. It is good that they already have fixes for some of the programs, but they need to escalate fixing the problem quickly, before some hacker decides to create another virus. Let's see how long this takes them to get a fix for the rest of their versions. If it is more than a week they are moving too slow. If it is a matter of telling people to upgrade then that is what they should do. Linux and other UNIXes do this all the time.

Rubbish. I don't use anything from Microsoft, and haven't for at least 4 years. You and everyone can do the same. Fact is, most people don't care enough about the issue to do the necessary investigation to take this step.

The suit against Microsoft is tripe and nonsense. The only way anyone can have a monopoly is if people choose - yes, choose - to do business with them. Sorry, you lose on this one because the argument is irrefutable. No business, no profits, no market share. There is a choice. There is always a choice.

Looks like they do. Granted, there're more MS security holes posted. However, I would say that there are more MS security holes. The problem only arises when/if they are posting in a proportion (MS vs. Open Source) that is not close to the real proportion of significant problems.

Ouch! This is the second time in a week I've been burned (had to do extra work) by security flaws found in Microsoft programs. I've been thinking about the need for a standards organization, or certification authority, for some time now. The question is; how would you set up such an organization, and would you trust it? An analogy: All of the major e-commerce sites on the web today buy their SSL certificate from one of the big CAs, VeriSign for one, because that's a trusted entity. Wouldn't big program houses be interested in getting their applications branded "Secure" by a likewise trusted authority? (think CERT) My guess is yes. Microsoft, for example, would benefit (at least in large, mission critical installations) from having their source code audited and confirmed by a third party. When we have open source, most problems are found early (many eyeballs make shallow bugs) but not all. Think of the Wuftpd exploit last month. Is there, perhaps, even a need for an open security auditing organization?

It seems to me that the biggest security risk would come from newly added features to a product. Perhaps MS add more new features to their products than people? They're not playing catch up like other people.

Of course, some might say that it is just because MS are incompetent when it comes to security ;)

The problem with real security issues like this one is the number of people who fail to keep up to date on all the latest patches. The infamous Morris worm, for instance, was essentially nothing more than a collection of exploits that had already been published and worked around. It's just that the relatively clueful, but overworked SysAdmins, hadn't installed them yet.

I shudder to think how many clueless MS users will be out there with this vulnerability - even five years from now.

Why is this the first internet virus that someone with a brain could actually fall for? Why did it take this long? It seems to me that most virus writers have been bent on having fun without risking a lengthy jail sentence. As a result, we have nothing but these little cheap worms that still cause an incredible amount of damage. Can you imagine the damage if this thing wormed? And yet, even if this bug actually gets exploited, I doubt it will be malicious. It will probably end up in the advertising method described in the article. Cheap thrill.

But at this point in time, one individual could probably bring down the entire internet and then some. Imagine what would happen if someone used this bug to load a CIH-type virus on every computer. Suddenly, the majority of the world's computers go out simultaneously. It'd be mass destruction - and virtually untraceable. (Can you imagine what would have happened if someone did this on Jan 1?)

But I don't think any of this will ever happen. I'm sure there will always be a way, but there's no one out there crazy enough to actually do it. Virus writers want cheap thrills. Just because the hole is there, doesn't mean anyone will exploit it. We may never see the doomsday virus everyone's worried about for the last decade....

This particular vulnerability is kind of amusing. UNIX types have been suffering with buffer overflows for a long time now that have done some nasty things, like giving someone remote root.

In any case, it's pretty lame of M$ to be seeing people fix all their buffer 'sploits on unix-centric applications and then not fix them in an obviously vulnerable location in their own code.

This is especially amusing since they just released that gigantic patch that will ask you before it executes content in an attachment or embedded in a document. They fixed that, but they missed the buffer overflow. All I have to say is HA HA HA. :)

Gee, I wonder why MSNBC sat on this information for *five weeks* before reporting on it at all. Does anyone really think CNN would have gagged itself? Ok, maybe that's not the best example... Still, it does make me wonder.

If you are running Internet Explorer 4.x, 5.0 and 5.01, the fastest solution to avoid this exploit is to immediately upgrade to at least Internet Explorer 5.01 Service Pack 1.

IE 5.01 SP1 (which avoids the hassles that have plagued some IE 5.5 users) not only has an upgraded browser (which corrects a problem where certain .OCX controls specific to IE can cause memory leak problems) but also incorporates Outlook Express 5.5, which is not vulnerable to the exploit described by USSR Labs.

I believe there will be a fix available on the Windows Update web site that will correct this issue by upgrading a number of .DLL files--but this is only for IE 4.x and IE 5.0/5.01 users.

"Anyway, I think that the problem is people actually getting/using the patch."

I don't think that is the root of the problem. I think that the problem (considering strictly the Microsoft OS development, not Linux/Unix or anything else) stems from the fact that Microsoft tries to shove too many of these useless active features down the throats of the standard install people who buy their PC from OfficeMax. ActiveX is crap, all the stupid Microsoft proprietary stuff that breeds these security breaches should be curtailed. There shouldn't be huge gaping holes in major packaged components of the Microsoft OS.

If they truly innovate, they shouldn't make these mistakes. This SANS alert [sans.org] goes into more detail about the security hole. Turns out MS's software engineers actually make a series of calls out of order that preempts whatever the user chooses to do. Why does this crap get released?